@Cagabi identified a security hole today in emoncms that affects multi-user installations, resulting from the way input process and virtual feed process list where set. I have since fixed the issue and the fix is now available in the latest stable and master branch of emoncms.
The input processing part of the issue allowed an emoncms user to add a process to an input that referenced a feed of another emoncms user on the same installation allowing both writing and reading of data - but only in realtime, historic data could not be overwritten or read. No meta data feed name, userid etc could be read. This could be achieved with a call to the underlying input set processlist API.
The virtual feed part allowed a user to access the full history of a feed from any other user on the installation by adding the source feed process with the feedid of any feed, which could be done with a call again to the underlying API.
Its worth noting that for emonpi and emonbase installations running emoncms locally with a single emoncms account created (default install) this issue cannot be exploited. Which means this is only an important update if your running a multi-user installation where the potentially exploiting user has an emoncms account.
The input processing part of the issue was present on emoncms.org (which has now been fixed), I ran a script to verify the content of all input process lists on all emoncms.org inputs and did not identify any processlists referencing feeds or inputs from other accounts.